Router-behind-router

Currently, router-behind-router does work, but only in certain situations. ICMP (ping) will not make it past two NAT firewalls. Almost every router has a NAT firewall, so unless rules are set in place to allow ping to pass directly to the last router, it may not function.

In this article, we are assuming that you have a connection similar to this: ISP Modem > Router 1 > Router 2, where Router 2 is where you are going to have your VPN. Most GUI interfaces don't allow you to be that selective, so the best advice we can provide in order to maximize the likelihood you will succeed is:

On router 1, the 2nd router needs to have a static IP address

On router 1, set the 2nd router private IP to DMZ

On router 2, set a static IP

On router 2, set the DHCP IP range (the IPs that it will give out to the devices connecting to it) to a completely different private IP range from router 1.

On router 1, disable QoS

At this point, you can try to configure OpenVPN on the 2nd router. This is not something we support, but there have been reports of both successes and failures, so give it a try. If you find a method that works for certain, please share it with us, and we can update this article for others.